[<prev] [next>] [day] [month] [year] [list]
Message-ID: <9F8B3E280114D611910700508BBD230A0349BDFC@DEBAGE91.bertelsmann.de>
From: Carsten.Truckenbrodt at Bertelsmann.de (Carsten.Truckenbrodt@...telsmann.de)
Subject: AW: MS should point windowsupdate.com to 127.0.
0.1
Hi,
This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1
the following will happen: The worm uses spoofed IPs from the local /16
subnet as source address. Pointing all the syn packets to 127.0.0.1 will
generate a RST packet from the local host to the spoofed IPs and spread
traffic over the complete internal network.
Even blocking or routing the normally resolved IP to Null0 will be a lot
work because this domain is loadbalanced through the world. That means you
get a different resolution depending on your ISP or place in the world.
If you manipulate your DNS, you should give no A-Record back to the worm.
With this the worm will not start attacking anything. So setting up a
nameserver zone with only a SOA record will do the job for Saturday 0:00.
Best Regards,
Carsten Truckenbrodt
Arvato systems Network Security
-----Urspr?ngliche Nachricht-----
Von: Tobias Oetiker [mailto:oetiker@...ethz.ch]
Gesendet: Freitag, 15. August 2003 00:15
An: full-disclosure@...ts.netsys.com
Cc: security@...rosoft.com
Betreff: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
Folks,
How about MS standing up for the mess, and changing their own DNS to point
all request for windowsupdate.com and whatnot to 127.0.01 ?
This will null the effect of the syn flood very effectively. Only proxies
will be affected.
As far as I see it, they will not be able to use these names productively
for the foreseeable future anyways ...
So they will have to issue an update for windows-updater thourgh other
channels (like their homepage for example) to point it to a different
web-site .. that should not be all that much of a problem.
If MS does NOT make this change to their DNS, I can see many routers who are
trying to track connections toppling over in interesting ways.
Because the local techs have no clue, it will
take the affected companies ages to get back on the net.
tobi
--
______ __ _
/_ __/_ / / (_) Oetiker @ ISG.EE, ETZ J97, ETH, CH-8092 Zurich / // _ \/
_ \/ / System Manager, Time Lord, Coder, Designer, Coach
/_/ \.__/_.__/_/ http://people.ee.ethz.ch/~oetiker +41(0)1-632-5286
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists